Vendor CVEs
Microsoft
All CVEs
14,319 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42907 | Med | 0.42 | 6.5 | 0.01 | Jun 9, 2026 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally. | ||
| CVE-2026-42903 | Med | 0.42 | 6.5 | 0.01 | Jun 9, 2026 | Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network. | ||
| CVE-2026-47655 | Med | 0.42 | 6.5 | 0.01 | Jun 4, 2026 | Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network. | ||
| CVE-2026-47644 | Med | 0.42 | 6.5 | 0.01 | Jun 4, 2026 | Improper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2026-42824 | Med | 0.42 | 6.5 | 0.08 | Jun 4, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2026-42827 | Med | 0.42 | 6.5 | 0.01 | May 22, 2026 | Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2026-42899 | Hig | 0.42 | 7.5 | 0.02 | May 12, 2026 | Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network. | ||
| CVE-2026-42891 | Med | 0.42 | 6.5 | 0.00 | May 12, 2026 | User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2026-42830 | Med | 0.42 | 6.5 | 0.00 | May 12, 2026 | Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | ||
| CVE-2026-40374 | Med | 0.42 | 6.5 | 0.01 | May 12, 2026 | Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network. | ||
| CVE-2026-35422 | Med | 0.42 | 6.5 | 0.01 | May 12, 2026 | Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network. | ||
| CVE-2026-34350 | Med | 0.42 | 6.5 | 0.01 | May 12, 2026 | Null pointer dereference in Windows Storport Miniport Driver allows an unauthorized attacker to deny service over a network. | ||
| CVE-2026-33116 | Hig | 0.42 | 7.5 | 0.02 | Apr 14, 2026 | Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network. | ||
| CVE-2026-32203 | Hig | 0.42 | 7.5 | 0.02 | Apr 14, 2026 | Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network. | ||
| CVE-2026-32178 | Hig | 0.42 | 7.5 | 0.02 | Apr 14, 2026 | Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2026-32151 | Med | 0.42 | 6.5 | 0.01 | Apr 14, 2026 | Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network. | ||
| CVE-2026-27925 | Med | 0.42 | 6.5 | 0.00 | Apr 14, 2026 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to disclose information over an adjacent network. | ||
| CVE-2026-26171 | Hig | 0.42 | 7.5 | 0.02 | Apr 14, 2026 | Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network. | ||
| CVE-2026-26155 | Med | 0.42 | 6.5 | 0.01 | Apr 14, 2026 | Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability | ||
| CVE-2026-26136 | Med | 0.42 | 6.5 | 0.01 | Mar 19, 2026 | Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2026-26120 | Med | 0.42 | 6.5 | 0.01 | Mar 19, 2026 | Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network. | ||
| CVE-2026-25667 | Hig | 0.42 | 7.5 | 0.03 | Mar 19, 2026 | ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing. | ||
| CVE-2026-21527 | Med | 0.42 | 6.5 | 0.09 | Feb 10, 2026 | User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-64670 | Med | 0.42 | 6.5 | 0.01 | Dec 9, 2025 | Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network. | ||
| CVE-2025-62473 | Med | 0.42 | 6.5 | 0.01 | Dec 9, 2025 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-62465 | Med | 0.42 | 6.5 | 0.00 | Dec 9, 2025 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. | ||
| CVE-2025-62463 | Med | 0.42 | 6.5 | 0.00 | Dec 9, 2025 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally. | ||
| CVE-2025-62206 | Med | 0.42 | 6.5 | 0.01 | Nov 11, 2025 | Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-60722 | Med | 0.42 | 6.5 | 0.01 | Nov 11, 2025 | Improper limitation of a pathname to a restricted directory ('path traversal') in OneDrive for Android allows an authorized attacker to elevate privileges over a network. | ||
| CVE-2025-60708 | Med | 0.42 | 6.5 | 0.00 | Nov 11, 2025 | Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally. | ||
| CVE-2025-59259 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | ||
| CVE-2025-59257 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | ||
| CVE-2025-59244 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-59214 | Med | 0.42 | 6.5 | 0.02 | Oct 14, 2025 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-59185 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-58739 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2025-58729 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | ||
| CVE-2025-58717 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-55700 | Med | 0.42 | 6.5 | 0.01 | Oct 14, 2025 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-55225 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-54097 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-54096 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-54095 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-53809 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Improper input validation in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. | ||
| CVE-2025-53806 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-53798 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-53797 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-53796 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | ||
| CVE-2025-47997 | Med | 0.42 | 6.5 | 0.01 | Sep 9, 2025 | Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network. | ||
| CVE-2025-55242 | Med | 0.42 | 6.5 | 0.01 | Sep 4, 2025 | Exposure of sensitive information to an unauthorized actor in Xbox allows an unauthorized attacker to disclose information over a network. |
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information locally.
- risk 0.42cvss 6.5epss 0.01
Null pointer dereference in Windows Kerberos allows an authorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Microsoft Graph allows an authorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Improper neutralization of special elements in output used by a downstream component ('injection') in Copilot Chat (Microsoft Edge) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.08
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Improper neutralization of special elements used in a command ('command injection') in M365 Copilot allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 7.5epss 0.02
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.00
User interface (ui) misrepresentation of critical information in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.00
Untrusted search path in Azure Monitor Agent allows an authorized attacker to elevate privileges locally.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Power Automate allows an authorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Authentication bypass using an alternate path or channel in Windows TCP/IP allows an authorized attacker to bypass a security feature over a network.
- risk 0.42cvss 6.5epss 0.01
Null pointer dereference in Windows Storport Miniport Driver allows an unauthorized attacker to deny service over a network.
- risk 0.42cvss 7.5epss 0.02
Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.
- risk 0.42cvss 7.5epss 0.02
Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
- risk 0.42cvss 7.5epss 0.02
Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Windows Shell allows an authorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.00
Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an unauthorized attacker to disclose information over an adjacent network.
- risk 0.42cvss 7.5epss 0.02
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.01
Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability
- risk 0.42cvss 6.5epss 0.01
Improper neutralization of special elements used in a command ('command injection') in Microsoft Copilot allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to perform tampering over a network.
- risk 0.42cvss 7.5epss 0.03
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
- risk 0.42cvss 6.5epss 0.09
User interface (ui) misrepresentation of critical information in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Microsoft Graphics Component allows an authorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.00
Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
- risk 0.42cvss 6.5epss 0.00
Null pointer dereference in Windows DirectX allows an authorized attacker to deny service locally.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Improper limitation of a pathname to a restricted directory ('path traversal') in OneDrive for Android allows an authorized attacker to elevate privileges over a network.
- risk 0.42cvss 6.5epss 0.00
Untrusted pointer dereference in Storvsp.sys Driver allows an authorized attacker to deny service locally.
- risk 0.42cvss 6.5epss 0.01
Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.01
Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.01
External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.02
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.01
External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network.
- risk 0.42cvss 6.5epss 0.01
Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Improper input validation in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network.
- risk 0.42cvss 6.5epss 0.01
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Buffer over-read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network.
- risk 0.42cvss 6.5epss 0.01
Exposure of sensitive information to an unauthorized actor in Xbox allows an unauthorized attacker to disclose information over a network.
Page 150 of 287